Abstract

Using a human-oriented formal example proof of the (lim+) theorem, i.e. that the sum of
limits is the limit of the sum, which is of value for reference on its own, we exhibit a
non-permutability of $\beta$-steps and $\delta^+$-steps (according to Smullyan's classification), which is not
visible with non-liberalized $\delta$-rules and not serious with further liberalized $\delta$-rules, such as
the $\delta^{++}$-rule. Besides a careful presentation of the search for a proof of (lim+) with several
pedagogical intentions, the main subject is to explain why the order of $\beta$-steps plays such a
practically important role in some calculi.

1 Motivation

In December 2004, in the theoretical part of an advanced senior-level lecture course [4] on
mathematics assistance systems, I presented a formal example proof in a human-oriented sequent
calculus that the sum of limits is the limit of the sum (lim+). Mathematics assistance systems
are human-oriented interactive theorem provers with strong automation support, aiming
at a synergetic interplay between mathematician and machine. PVS [26], Ωmega [35],
ISABELLE/HOL [23, 27], and QuodLibet [6] are some of the systems approaching this long term
goal.

Considering reductive calculi such as sequent, tableau, or matrix calculi, one of the functions 
of my lectures within the course was to show that — although sequents are easier to understand 
due to their locality — matrixes (or indexed formula trees [2, 37]) are not only a clever implemen- 
tation, but — more importantly for us — also needed to follow the proof organization of a working 
mathematician. To this end, I tried to give the students an idea of the premature commitments 
forced by sequent and tableau calculi, which require a mathematician to deviate from his intended 
proof plans and proof-search heuristics. 

In his fascinating book [37], Lincoln A. Wallen had criticized the non-permutability of $\gamma$-
and $\delta$-steps in sequent calculi, according to Raymond M. Smullyan's classification and uniform
notation of reductive inference rules as $\alpha$, $\beta$, $\gamma$, and $\delta$ [36]. I explained how this
non-permutability can be overcome by replacing the (non-liberalized) $\delta$-rule (which we will call $\delta^-$-rule)
with the liberalized $\delta^+$-rule [18]. Along the (lim+) proof, I then showed that with the $\delta^+$-rule,
however, another non-permutability becomes visible, now of the $\beta$- and $\delta^+$-steps. Before the
liberalization took place to make logicians glad, this non-permutability was hidden behind the
non-permutability of the $\gamma$- and $\delta^-$-steps.

At that moment, the best logician among my co-lecturers contradicted the occurrence of this
non-permutability, and insisted on his opinion when I repeated the material for an introduction in
the next lecture. Thus, the non-permutability problems of $\beta$-steps deserve publication. A referee
of a previous version of this paper called this "an interesting but not too surprising result". Besides
this hard result, following the lecture, in this paper we will address some soft aspects of formal
calculi for human-machine interaction and publish (for the first time?) a more or less readable,
complete, and human-oriented proof of a mathematical standard theorem in a standard
general-purpose formal calculus in § 4. We discuss the non-permutabilities of this example proof in § 5,
prove the non-permutability of its crucial $\beta$- and $\delta^+$-step in § 6, and conclude with an emphasis
on open problems in § 7.

First people will deny a thing; then they will play it down;

then they will decide that it has been known for a long time.

— Alexander von Humboldt (cited according to [34], p. x)

2 Introduction to Non-Permutabilities &c.

As explained in [37], the search space of sequent or tableau calculi may suffer from the following
weaknesses in design: Irrelevance, Notational Redundancy, and Non-Permutability. Unless
explicitly stated otherwise, the weaknesses described in the following apply to sequent and tableau
calculi alike.

Irrelevance means, e.g., that when proving the sequent 

A, A Loves(Romeo, yo)); Loves(Romeo, Juliet) 

with $A$ and $B$ some big formulas, we may try to prove $A$ or $\neg B$ for a long time,
although this is not relevant if they are false. Note that in this paper sequents are just lists
of formulas, i.e. the simplest form that will do for two-valued logics. We call free $\gamma$-variables
(after the $\gamma$-steps, which may introduce new ones) (written as $y^\gamma$) what has the standard
names of "meta" [23] or "free" [14] variables. Indeed, free $\gamma$-variables must be distinguished
from the true meta-variables and the other kinds of free variables we will need. The means to
avoid irrelevance is focusing on connections, just as the one between $\neg\mathrm{Loves}(\mathrm{Romeo}, y^\gamma)$ and
$\mathrm{Loves}(\mathrm{Romeo}, \mathrm{Juliet})$. In practice of mathematics assistance systems, however, it is often
necessary to expand connectionless parts to support the speculation of lemmas, which then provide
a "connection" that is not syntactically obvious, but closes the branch nevertheless. This is
especially the case for inductive theorem proving for theoretical [20] and practical [30, 31, 32]
reasons.

Notational Redundancy means in a sequent-calculus proof that the offspring sequents repeat the
formulas of their ancestor sequents again and again. This is partly overcome in the corresponding
tableau calculi. But even tableau proofs repeat the subformulas of their principal formulas as side
formulas [15] again and again. Structure sharing can overcome this redundancy and does not
differ much for sequent, tableau, or matrix calculi because information on branch, $\gamma$-multiplicity,
and fairness has to be stored anyway. As mathematics assistance systems are still far from
delivering what they once promised to achieve, this optimization is, however, not of top priority,
especially because structure sharing is not trivial, but likely to block other improvements: Note
that $\gamma$-step multiplicity requires variable renaming and that different rewrite steps may be applied
to the multiple occurrences of subformulas.

Non-Permutability is the subject of this paper. Very roughly speaking, it means that the order
of inference steps (i.e. applications of reductive inference rules) may be crucial for a proof to
succeed. Roughly speaking, permutability of two steps $S_1$ and $S_0$ simply means the following:

In a closed proof tree where $S_0$ precedes $S_1$ and where $S_1$ was already applicable before $S_0$, we
can do the step $S_1$ before $S_0$ and find a closed proof tree nevertheless. When several formulas in
a sequent classify as principal formulas of $\alpha$-, $\beta$-, $\gamma$-, or $\delta$-steps, the search space is typically
non-confluent. Therefore, a bad order of application of these inference steps may require the search
procedure to backtrack or to construct a proof on a higher level of $\gamma$-multiplicity than necessary or
than a mathematician would expect. Notice that the latter gives a human user hardly any chance
to cooperate in proof construction: Who would tell the system to apply a lemma twice when he
knows that one application suffices?

When we do a $\gamma$-step first and a $\delta$-step second, a proof may fail on the given level of
$\gamma$-multiplicity, whereas it succeeds when we apply the $\delta$-step first and the $\gamma$-step second. For
sequent calculi without free variables (cf. e.g. [15]) this is exemplified in [37, Chapter 1, § 4.3.2].
The reason for this non-permutability is simply that, for the first alternative, due to the
eigenvariable condition, the $\gamma$-step cannot instantiate its side formula with the parameter introduced by the
$\delta$-step.

This non-permutability is not overcome with the introduction of free $\gamma$-variables, resulting in
the so-called "free-variable" calculi [14, 42]: The reason now is that, for the first alternative, the
variable-condition blocks the free $\gamma$-variable $y^\gamma$ introduced by the $\gamma$-step against the instantiation
of any term containing the free $\delta^-$-variable introduced by the $\delta^-$-step. In Skolemizing
inference systems, however, we would have to say that $y^\gamma$ becomes an argument of the Skolem term
$x^{\delta^-}(\ldots y^\gamma \ldots)$ introduced by the $\delta^-$-step, which causes unification of $y^\gamma$ and $x^{\delta^-}(\ldots y^\gamma \ldots)$ to fail
by the occur check.

This non-permutability is overcome in [37, Chapter 2] with a matrix calculus which generates
variable-conditions equivalent to Outer Skolemization. As a $\delta^+$-step [18] extends the
variable-condition only equivalently to Inner Skolemization (which is an improvement over Outer
Skolemization, i.e. less blockings, or less occurrences in Skolem-terms [24]), this non-permutability
is a fortiori overcome by the replacement of the $\delta^-$-steps with $\delta^+$-steps.

Optimization Problems where a badly chosen order of inference steps does not cause a failure
of the proof (at the current level of $\gamma$-multiplicity) but only an increase in proof size, are not
subsumed under the notion of non-permutability. A typical optimization problem is the
following: The size of a proof crucially depends on the $\beta$-steps being applied not too early and in the
right order. This is obvious from a working mathematician's point of view: Do not start a case
analysis before it is needed and make the nested case assumptions in an order that unifies identical
argumentations!

Thus, assuming an any-time behavior of a semi-decision procedure for closedness running in
parallel (simultaneous rigid E-unification is not co-semi-decidable [13]), the folklore heuristics
is somewhat as follows:

Step 1: Apply all $\alpha$- and $\delta$-steps, guaranteeing termination by deleting their principal formulas
from the child sequents (either directly syntactically in sequent calculi, or indirectly by some
bookkeeping for search control in tableau calculi).

Step 2: If a $\gamma$-rule is applicable to a principal formula that has not reached the current threshold
for $\gamma$-multiplicity in some branch, do such a $\gamma$-step, namely the one with the most promising
connections, and then go to Step 1.

Step 3: If a $\beta$-rule is applicable, then apply the most promising one, deleting its principal formula
from the sequents of the side formulas, and then go to Step 1. Otherwise, if a $\gamma$-rule is applicable,
then increase the threshold for $\gamma$-multiplicity, and then go to Step 2.

3 Background Required for the Example Proof

Before we go on with this abstract expert-style discussion in § 5, we do the proof of (lim+) in
§ 4. To this end, we now present a sub-calculus of the calculus of [42], whose development
was driven by the integration of Fermat's descente infinie into state-of-the-art deduction, with
human-orientedness as the second design goal. The calculus uses variable-conditions instead of
Skolemization. Variable-conditions are isomorphic to Skolemization in the relevant aspects of this
paper, but admit the usage of simple variables instead of huge Skolem terms. This improves the
readability of our formal proof significantly. We assume the following sets of variables to be
disjoint:

$V_\gamma$ : free $\gamma$-variables, i.e. the free variables of [14]
$V_\delta$ : free $\delta$-variables, i.e. nullary parameters, instead of Skolem functions
$V_{\text{bound}}$ : bound variables, i.e. variables to be bound, cf. below

We use '$\uplus$' for the union of disjoint classes. We partition the free $\delta$-variables into free
$\delta^-$-variables and free $\delta^+$-variables: $V_\delta = V_{\delta^-} \uplus V_{\delta^+}$. We define the free variables by
$V_{\text{free}} := V_\gamma \uplus V_\delta$ and the variables by $V := V_{\text{bound}} \uplus V_{\text{free}}$. Finally, the rigid variables by
$V_{\gamma\delta^+} := V_\gamma \uplus V_{\delta^+}$. We use $V_k(\Gamma)$ to denote the set of variables from $V_k$ occurring in $\Gamma$. We do
not permit binding of variables that already occur bound in a term or formula; that is: $\forall x.\,A$ is only
a formula if no binder on $x$ already occurs in $A$. The simple effect is that our formulas are easier to
read and our $\gamma$- and $\delta$-rules can replace all occurrences of $x$. Moreover, we assume that all binders have
minimal scope.

Let $\sigma$ be a substitution. We say that $\sigma$ is a substitution on $X$ if $\mathrm{dom}(\sigma) \subseteq X$. We denote
with '$\Gamma\sigma$' the result of replacing each occurrence of a variable $x \in \mathrm{dom}(\sigma)$ in $\Gamma$ with $\sigma(x)$.
Unless otherwise stated, we tacitly assume that all occurrences of variables from $V_{\text{bound}}$ in a term
or formula or in the range of a substitution are bound occurrences (i.e. that a variable $x \in V_{\text{bound}}$
occurs only in the scope of a binder on $x$) and that each substitution $\sigma$ satisfies $\mathrm{dom}(\sigma) \subseteq V_{\text{free}}$,
so that no bound occurrences of variables can be replaced and no additional variable occurrences
can become bound (i.e. captured) when applying $\sigma$.



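Definition 3.1 (Variable-Condition, $\sigma$-Update, $R$-Substitution)

A variable-condition is a subset of $V_{\text{free}} \times V_{\text{free}}$.

Let $R$ be a variable-condition and $\sigma$ be a substitution. The $\sigma$-update of $R$ is

$$R\ \cup\ \{\ (z^{\text{free}}, x^{\text{free}})\ \mid\ x^{\text{free}} \in \mathrm{dom}(\sigma)\ \wedge\ z^{\text{free}} \in V_{\text{free}}(\sigma(x^{\text{free}}))\ \}.$$

$\sigma$ is an $R$-substitution if $\sigma$ is a substitution and the $\sigma$-update $R'$ of $R$ is wellfounded, i.e. for any
nonempty set $B$, there is a $b \in B$ such that there is no $a \in B$ with $a\ R'\ b$.

Note that, regarding syntax, $(x^{\text{free}}, y^{\text{free}}) \in R$ is intended to mean that an $R$-substitution $\sigma$ must
not replace $x^{\text{free}}$ with a term in which $y^{\text{free}}$ could ever occur. This is guaranteed when the
$\sigma$-updates $R'$ of $R$ are always required to be wellfounded. Indeed, for $z^{\text{free}} \in V_{\text{free}}(\sigma(x^{\text{free}}))$, we get
$z^{\text{free}}\ R'\ x^{\text{free}}\ R'\ y^{\text{free}}$, blocking $z^{\text{free}}$ against terms containing $y^{\text{free}}$. In practice, a $\sigma$-update of $R$ can
always be chosen to be finite. In this case, it is wellfounded iff it is acyclic.

Let $A$ and $B$ be formulas. Let $\Gamma$ and $\Pi$ be sequents, i.e. disjunctive lists of formulas. Let
$x \in V_{\text{bound}}$ be a bound variable, and let $\mathcal{F}$ be the current proof forest, such that $V(\mathcal{F})$ contains
all variables already in use, especially those from $\Gamma$, $\Pi$, and $A$. Note that $\overline{A}$ is the conjugate of
the formula $A$, i.e. $B$ if $A$ is of the form $\neg B$, and $\neg A$ otherwise.

$\alpha$-rules:

$$\frac{\Gamma\ \ \neg\neg A\ \ \Pi}{A\ \ \Gamma\ \ \Pi}
\qquad
\frac{\Gamma\ \ (A\lor B)\ \ \Pi}{A\ \ B\ \ \Gamma\ \ \Pi}
\qquad
\frac{\Gamma\ \ \neg(A\land B)\ \ \Pi}{\overline{A}\ \ \overline{B}\ \ \Gamma\ \ \Pi}
\qquad
\frac{\Gamma\ \ (A\Rightarrow B)\ \ \Pi}{\overline{A}\ \ B\ \ \Gamma\ \ \Pi}
\qquad
\frac{\Gamma\ \ (A\Leftarrow B)\ \ \Pi}{A\ \ \overline{B}\ \ \Gamma\ \ \Pi}$$

$\beta$-rules:

$$\frac{\Gamma\ \ (A\land B)\ \ \Pi}{\begin{array}{c}A\ \ \Gamma\ \ \Pi\\ B\ \ \Gamma\ \ \Pi\end{array}}
\qquad
\frac{\Gamma\ \ \neg(A\lor B)\ \ \Pi}{\begin{array}{c}\overline{A}\ \ \Gamma\ \ \Pi\\ \overline{B}\ \ \Gamma\ \ \Pi\end{array}}
\qquad
\frac{\Gamma\ \ \neg(A\Rightarrow B)\ \ \Pi}{\begin{array}{c}A\ \ \Gamma\ \ \Pi\\ \overline{B}\ \ \Gamma\ \ \Pi\end{array}}
\qquad
\frac{\Gamma\ \ \neg(A\Leftarrow B)\ \ \Pi}{\begin{array}{c}\overline{A}\ \ \Gamma\ \ \Pi\\ B\ \ \Gamma\ \ \Pi\end{array}}$$

$\gamma$-rules: Let $t$ be any term (by default a new free $\gamma$-variable):

$$\frac{\Gamma\ \ \exists x.\,A\ \ \Pi}{A\{x\mapsto t\}\ \ \Gamma\ \ \exists x.\,A\ \ \Pi}
\qquad
\frac{\Gamma\ \ \neg\forall x.\,A\ \ \Pi}{\overline{A\{x\mapsto t\}}\ \ \Gamma\ \ \neg\forall x.\,A\ \ \Pi}$$

$\delta^-$-rules: Let $x^{\delta^-} \in V_{\delta^-} \setminus V(\mathcal{F})$ be a new free $\delta^-$-variable:

$$\begin{array}{ll}
\Gamma\ \ \forall x.\,A\ \ \Pi & \\ \hline
A\{x\mapsto x^{\delta^-}\}\ \ \Gamma\ \ \Pi & V_{\gamma\delta^+}(\Gamma\ \ \forall x.\,A\ \ \Pi) \times \{x^{\delta^-}\}
\end{array}
\qquad
\begin{array}{ll}
\Gamma\ \ \neg\exists x.\,A\ \ \Pi & \\ \hline
\overline{A\{x\mapsto x^{\delta^-}\}}\ \ \Gamma\ \ \Pi & V_{\gamma\delta^+}(\Gamma\ \ \neg\exists x.\,A\ \ \Pi) \times \{x^{\delta^-}\}
\end{array}$$

$\delta^+$-rules: Let $x^{\delta^+} \in V_{\delta^+} \setminus V(\mathcal{F})$ be a new free $\delta^+$-variable:

$$\begin{array}{ll}
\Gamma\ \ \forall x.\,A\ \ \Pi & \{(x^{\delta^+},\ A\{x\mapsto x^{\delta^+}\})\} \\ \hline
A\{x\mapsto x^{\delta^+}\}\ \ \Gamma\ \ \Pi & V_{\text{free}}(\forall x.\,A) \times \{x^{\delta^+}\}
\end{array}
\qquad
\begin{array}{ll}
\Gamma\ \ \neg\exists x.\,A\ \ \Pi & \{(x^{\delta^+},\ \overline{A\{x\mapsto x^{\delta^+}\}})\} \\ \hline
\overline{A\{x\mapsto x^{\delta^+}\}}\ \ \Gamma\ \ \Pi & V_{\text{free}}(\neg\exists x.\,A) \times \{x^{\delta^+}\}
\end{array}$$

Figure 1: The reductive rules of our calculus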



3.1 Inference Rules for Reduction Within a Proof Tree 

In Figure 1 , the inference rules for reductive reasoning within a tree are presented in sequent 
style. Note that in the good old days when trees grew upwards, Gentzen would have inverted the 
inference rules such that passing the line means consequence. In our case, passing the line means 
reduction, and trees grow downwards. 

All rules are sound and solution preserving for the rigid variables in the sense of [42, § 2.4].
Thus, updating a global variable-condition $R$, we can globally apply any $R$-substitution on any
subset of without destroying the soundness of the instantiated proof steps.

Instead of an eigenvariable condition, the $\delta^-$-rules come with a binary relation on variables to
the lower right, which must be added to the current variable-condition $R$. The $\delta^+$-rules come with
an additional relation to the upper right, which has to be added to the $R$-choice-condition $C$. This
choice-condition is an optional part of the calculus. It may store a structure-sharing representation
of an $\varepsilon$-term [19, 16, 41] for a free $\delta^+$-variable, which may restrict the possible values of this
variable. As they play only a marginal role in the example proof of § 4, we do not have to discuss
choice-conditions here. Note, however, that without a choice-condition, the $\delta^+$-rules would only
be sound but not solution preserving, cf. Example 5.1.

Indeed, the calculus contains different kinds of $\delta$-rules in parallel. Therefore — to be sound —
the $\delta^-$-rules have to refer to the free $\delta^+$-variables introduced by the $\delta^+$-rules in their
variable-conditions, and vice versa.
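
The variable-condition bookkeeping of Definition 3.1 and of the $\delta^-$- and $\delta^+$-rules can be traced in code. The following Python example is added here and is not part of the paper; the term representation, the function names, and the sequent $\exists y.\,\neg P(y),\ \forall x.\,P(x)$ are assumptions constructed for illustration. It shows that a $\gamma$-step before a $\delta^-$-step makes the closing substitution cyclic, whereas the other order, or the $\delta^+$-rule, does not.

```python
"""Finite variable-conditions as in Definition 3.1: sigma-update and R-substitution."""

# Representation chosen for this example (an assumption, not from the paper):
#   a variable is a str, a compound term is a tuple (functor, arg1, ..., argn).


def free_vars(term):
    """Return the set of variables occurring in a term."""
    if isinstance(term, str):
        return {term}
    return set().union(*(free_vars(arg) for arg in term[1:]))


def sigma_update(R, sigma):
    """R united with {(z, x) | x in dom(sigma), z a free variable of sigma(x)}."""
    return set(R) | {(z, x) for x, t in sigma.items() for z in free_vars(t)}


def is_acyclic(R):
    """A finite relation is wellfounded iff its graph has no cycle (DFS check)."""
    successors = {}
    for a, b in R:
        successors.setdefault(a, set()).add(b)
    state = {}  # node -> "open" while on the DFS stack, "done" afterwards

    def visit(node):
        state[node] = "open"
        for nxt in successors.get(node, ()):
            if state.get(nxt) == "open":
                return False  # back edge: a cycle exists
            if nxt not in state and not visit(nxt):
                return False
        state[node] = "done"
        return True

    return all(node in state or visit(node) for node in list(successors))


def is_R_substitution(R, sigma):
    """sigma is an R-substitution iff the sigma-update of R is wellfounded."""
    return is_acyclic(sigma_update(R, sigma))


def delta_minus_step(R, rigid_vars_of_sequent, new_var):
    """delta^- rule: add (rigid variables of the whole sequent) x {new_var} to R."""
    return set(R) | {(v, new_var) for v in rigid_vars_of_sequent}


def delta_plus_step(R, free_vars_of_principal, new_var):
    """delta^+ rule: add (free variables of the principal formula) x {new_var} to R."""
    return set(R) | {(v, new_var) for v in free_vars_of_principal}


def closes(order, delta_rule):
    """
    Constructed sequent:  exists y. not P(y),   forall x. P(x)
    The gamma-step introduces y_gamma, the delta-step introduces x_delta.
    The branch closes iff sigma = {y_gamma -> x_delta} is an R-substitution.
    """
    R, rigid_in_sequent = set(), set()
    steps = ("gamma", "delta") if order == "gamma-first" else ("delta", "gamma")
    for step in steps:
        if step == "gamma":
            rigid_in_sequent.add("y_gamma")  # side formula: not P(y_gamma)
        elif delta_rule == "minus":
            R = delta_minus_step(R, rigid_in_sequent, "x_delta")
        else:
            # forall x. P(x) has no free variables, so nothing is added to R
            R = delta_plus_step(R, set(), "x_delta")
            rigid_in_sequent.add("x_delta")  # free delta^+ variables are rigid
    return is_R_substitution(R, {"y_gamma": "x_delta"})


if __name__ == "__main__":
    for order in ("gamma-first", "delta-first"):
        for rule in ("minus", "plus"):
            print(order, "delta^" + rule, "closes:", closes(order, rule))
```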

3.2 Lemma Application Between Proof Trees 

The reason why we spoke of a proof forest $\mathcal{F}$ in Figure 1 is that a proof may be spread over
several trees that are connected by generative application of the root of one tree in the reductive
proof of another tree, either as a lemma or as an induction hypothesis. While the application of
lemmas must be wellfounded, induction hypotheses may be applied to the proof of themselves
and mutually. In this paper, we only need lemma application.

Lemma application works as follows. When a lemma $A_1, \ldots, A_m$ is a subsequent of a leaf
sequent $\Gamma$ to be proved (i.e. if, for all $i \in \{1, \ldots, m\}$, the formula $A_i$ is listed in $\Gamma$), its application
closes the branch of this sequent (subsumption). Otherwise, the conjugates of the missing
formulas $C_i$ are added to the child sequents (premises), one child per missing formula. This can be
seen as Cuts on $C_i$ plus subsumption. More precisely — modulo associativity, commutativity, and
idempotency — a sequent $A_1, \ldots, A_m, B_1, \ldots, B_n$ can be reduced by application of the lemma
$A_1, \ldots, A_m, C_1, \ldots, C_p$ to the sequents

$$\overline{C_1}, A_1, \ldots, A_m, B_1, \ldots, B_n \qquad \cdots \qquad \overline{C_p}, A_1, \ldots, A_m, B_1, \ldots, B_n.$$

In addition, any time we apply a lemma, we can replace its free $\delta^-$-variables locally and
arbitrarily, except those free $\delta^-$-variables that depend on rigid variables which (in rare cases) may
already occur in the input lemma. More precisely, the set of free $\delta^-$-variables of a lemma $\Phi$ we
may instantiate is exactly

$$\{\ y^{\delta^-} \in V_{\delta^-}(\Phi)\ \mid\ V_{\gamma\delta^+}(\Phi) \times \{y^{\delta^-}\} \subseteq R\ \}.$$

Typically $V_{\gamma\delta^+}(\Phi)$ is empty and no restrictions apply. Note that we also may extend this set of free
$\delta^-$-variables by extending the variable-condition $R$. This instantiation of outermost $\delta^-$-variables
mirrors mathematical practice, saves repetition of initial $\delta$-steps, and is essential for induction,
where the weights depend on these free $\delta^-$-variables to guarantee wellfoundedness. There will be
a sufficient number of self-explanatory examples of application of open lemmas (i.e. yet unproved
lemmas) in § 4.

Figure 2: Global abbreviations for the proof of § 4. In the proof below, (2), (3), (4), (5), (6), (7), (8), (9)
(where the boxes around the formulas just indicate the matching in the lemma application)
and $\Gamma$, S, $\Theta$, $\Omega$ and $\sigma$ and $t$ abbreviate lemmas and sequents and substitution and term, respectively.

4 The (lim +) Proof: Limit Theorem on Sums in R

4.1 Explanation and Initialization 

Compared to the proof of (lim+) as presented in the lecture courses, the version we present
here admits a more rigorous argumentation for non-permutability of $\beta$ and $\delta^+$ in the following
sections.

By standard mathematical abuse of notation, we want to prove the theorem 
(lim +) lim ( f^{x) + g^{x) ) = lim f~{x) + Um g^~{x) 

Before we start the formal proof, we expand (lim+) into a better notation: 

/ lim^r(x) = yf \ 

Warning: The "=" here is still no real equality symbol! What is it, then? Something like 
lim ( x^sini ) =0, formally say limta- = i! (definiendum), is defined by the formula 

idefiniens) 

V£>0. 3(5>0. Vcct^z. ( %-t'\ <e ^ \x-z\ < 5 ) 

Note that $\forall\varepsilon{>}0.\ A$ and $\exists\delta{>}0.\ B$ and $\forall x{\neq}z.\ C$ (definienda) abbreviate $\forall\varepsilon.\ (0<\varepsilon \Rightarrow A)$ and
$\exists\delta.\ (0<\delta \wedge B)$ and $\forall x.\ (x\neq z \Rightarrow C)$ (definientia), respectively. Thus, if — in what follows —
we speak of an expansion of "$\forall\varepsilon{>}0.\ \ldots$" (from definiendum to definiens) or simply of an
expansion of $\forall$, we mean the replacement of $\forall\varepsilon{>}0.\ A$ with $\forall\varepsilon.\ (0<\varepsilon \Rightarrow A)$ for some formula $A$
in a reductive proof step. Analogous proof steps are meant by expansion of $\exists$ and expansion
of lim, respectively. We will often reorder the formulas in the sequents without mentioning it.

We initialize our global variable-condition $R$ by $R := \emptyset$, and our global $R$-choice-condition $C$
by $C := \emptyset$.

4.2 Expanding the Proof Tree with Root (1) 

By two $\alpha$-steps and expansion of lim from definiendum to definiens, we reduce (1) to its single
child (1.1), writing $(1^2)$ for (1.1):

(P): v£>o. 35>o. vx^<. ( \^fy)+3y) - (yr+<)i < - Y 

y — 1 3/ I / 

lim r(a;) 7^ , lim ^ 



By expansion of "$\forall\varepsilon{>}0.\ \ldots$" from definiendum to definiens, then a $\delta^-$- and an $\alpha$-step, and
finally expansion of $\exists$ and some reordering of the listed formulas we reduce this to:

(13): 3. ( 0<. A V.,<. ( ^ l:"?^" - ^''^''^^ " ) ) . 

0^£^ lim 7^ J,;, lim 9^1) 7^!/; 



A $\gamma$-step yields:

Note that the $(1^3)$ at the end of the sequent $(1^4)$ means that the whole parent sequent is part of the
child sequent.

Expanding lim and V, plus a 7-step, each twice, we get (cf. Figure 2 for S): 



\ <^ |Xg Xq I <- Og 



A $\beta$-step and an expansion of $\exists$, each twice, yield:

l^?'><;)-2/ri < 



9 

|r(x^)-2/f I < £} 



;l^3): .3., ( o<., A v.,^<. ( ^ j;?|^:^J; ) 



35,. 0<5, A Va;,^<. 



A $\delta^+$-step applied to the first formula at $(1^5.3)$ yields:

(l^3.l): o<.^ A . ( ^ I < ^' 

where is extended with {xq, /*", y^, e^} x {5^"^}, and the choice-condition C with: 



(9 



4.3 A Bad Turn

Now we do an early $\beta$-step against the folklore heuristics presented in § 2. This will make the
whole following subproof fail! A reader who is interested only in a successful example proof
may continue reading with § 4.6.

(1^.3.1.1): Q<5\ e

(l^3.l.2): ( ^ - I < ) . e

A $\delta^+$-step, two $\alpha$-steps, and expansion of $\forall$, applied to $(1^5.3.1.2)$, yield:

(1^.3.1.2.1): W. ( ^ ( ^ lirifl:*;'^" - " " ^' ) I . « 

where R is extended with {xq, g^, y^, e^} x {5g}, and C with: 

A $\delta^+$-step and two $\alpha$-steps yield (cf. Figure 2 for $t$):

(15.3.1.2.12): x''=x^, t < £^ \x''-x'o \ ^ 5^ O 

where i? is extended with {.Tq", /^", , y^, 5"'} x {x^^} 
and our i?-choice-condition C with 

{ a;*^ x'V^o" ^ ( t < <^ |a;*^-xf | < S"' ) ) } 

Expansion of $\forall$ and a $\gamma$-step, each twice, yield:
(1^3.1.2.13): ^ ( ^ 

3^9^% ^ \x'^g-x%\ < 6'g 

x'^*=Xq, t < \x'^^-X^\ ^ J^, 



4.4 Partial Success 

2 $\beta$-steps, each twice, yield:

(1^.3.1.2.13.1): xjy^x'o, x'^=xf;, ... 
(15.3.1.2.1^.2): xl^x'o, a;*"=<, ... 
(15.3.1.2.1^.3): \x}-x'o \ < Sf, \x'^-x^\ it S"', ... 
(15.3.1.2.1^.4): \xl-x^\ < (5f , \x'^-x'q \ 5\ ... 
(15.3.1.2.1^.5): \r{x}) - I ^ e}, \g^{xl) - ^ s^, 

x'^^x^, t < e^, \x'^-x^\ ^ S\ n 



And now? By formula unification and some basic knowledge of the domain, we can easily see
that global application of the substitution $\sigma$ from § 4.1 admits to close the branches of the first
four sequents. According to Definition 3.1, this adds

$$\{\ (x^{\delta^+}, x_f^{\gamma}),\ (x^{\delta^+}, x_g^{\gamma}),\ (\delta_f^{\delta^+}, \delta^{\gamma}),\ (\delta_g^{\delta^+}, \delta^{\gamma})\ \}$$

to our variable-condition $R$, which, luckily, stays acyclic, cf. the acyclic graph of Figure 5 in
§ 4.8. $(1^5.3.1.2.1^3.1)$ and $(1^5.3.1.2.1^3.2)$ become logical axioms. Applying lemma (2) of Figure 2
instantiated via $\{y^{\delta^-} \mapsto \delta_f^{\delta^+},\ z^{\delta^-} \mapsto \delta_g^{\delta^+}\}$ we reduce $(1^5.3.1.2.1^3.3)$ to:

$(1^5.3.1.2.1^3.3.1)$: $\min(\delta_f^{\delta^+}, \delta_g^{\delta^+}) \not\le \delta_f^{\delta^+},\ \ |x^{\delta^+} - x_0^{\delta^-}| < \delta_f^{\delta^+},\ \ |x^{\delta^+} - x_0^{\delta^-}| \not< \min(\delta_f^{\delta^+}, \delta_g^{\delta^+}),\ \ \ldots$

which is subsumed by the transitivity lemma (3) of Figure 2.
$(1^5.3.1.2.1^3.4)$ can be closed analogously to $(1^5.3.1.2.1^3.3)$.

Figure 3: Non-Permutability of $\beta$ at $(1^5.3.1)$ and $\delta^+$ at $(1^5.3.1.2)$:
No chance to prove $0 < \min(\delta_f^{\delta^+}, \delta_g^{\delta^+})$ at $(1^5.3.1.1)$



4.5 Total Failure 



Abstractly, our proof tree looks as in Figure 3. By the application of $\sigma$, $(1^5.3.1.1)$ has become

$0 < \min(\delta_f^{\delta^+}, \delta_g^{\delta^+}),\ \ \Theta$

If the first formula — which is the only new one as compared to its parent sequent — is irrelevant
for the proof of $(1^5.3.1.1)$ (in the sense that it is not contributing as a principal formula, cf. [15,
30, 32]), then we had better prove $(1^5.3.1)$ instead, because this saves us the proof of the whole
$\beta_2$-subtree of $(1^5.3.1)$. But look: $\delta_g^{\delta^+}$ is not introduced before $(1^5.3.1.2.1)$, which in $(1^5.3.1.2.1^2)$
results in the context $0 \not< \delta_f^{\delta^+}$, $0 \not< \delta_g^{\delta^+}$ (as listed in $\Omega$ of Figure 2) with which we could prove
$0 < \min(\delta_f^{\delta^+}, \delta_g^{\delta^+})$ by lemma (4) of Figure 2. Thus, the $\beta$-step applied to $(1^5.3.1)$ does not have
any benefit unless it is done below $(1^5.3.1.2.1)$.

Now, we have three possibilities in principle:

1. We can backtrack to $(1^5.3.1)$, deleting all its sub-trees.

be satisfiable, for which we again lack the context.

3. We can prove $(1^5.3.1.1)$ by proving its subsequent $\Theta$. As $\Theta$ is already a subsequent
of $(1^5.3.1)$, this means that we could prove already $(1^5.3.1)$ this way. Thus, the whole
subproof below $(1^5.3.1.2)$ could be pruned. Moreover, as we would have to expand the
principal $\gamma$-formula of $(1^3)$ a second time, resulting in a higher maximum of $\gamma$-multiplicity
than necessary, the following lemma holds.



Lemma 4.1 Using the reductive rules of Figure 1 with a $\gamma$-multiplicity threshold of 1, the
current proof tree (with the partial instantiation $\sigma$) cannot be expanded and instantiated to a closed
proof tree at $(1^5.1)$, $(1^5.2)$, and $(1^5.3.1.1)$ in parallel.

For a proof of Lemma 4.1 cf. § 6.1. Note that the validity of Lemma 4.1 depends on the $\delta^-$-
and $\delta^+$-rules being the only $\delta$-rules available. With $\delta^{++}$-rules the situation would be different,
cf. § 5.4. Moreover, as our proof trees are customary AND-trees (and no AND/OR-trees that
admit alternative proof attempts as in [5, 6]), Lemma 4.1 means that the whole proof attempt is
failed for a $\gamma$-multiplicity of 1.



4.6 Backtracking to the Path of Virtue 

Item 1 in the above list is the only reasonable alternative. Therefore, let us restart from $(1^5.3.1)$
— not without storing $\sigma$ and its connections before.

Applied to $(1^5.3.1)$, one $\delta^+$-step, two $\alpha$-steps, two expansions of $\forall$, and two $\gamma$-steps yield as in
§ 4.3 and with the same extensions of $R$ and $C$:



(1^3.1^): 





\f'-{x])-yf\ < e 



xi-xf:\ < S' 



.7 



/ 



) 



) 
Figure 4: Non-Permutability of $\beta$ at $(1^5.3.1^2)$ and
$\beta$ at the $\beta_2$-child of $(1^5.3.1^2)$:
No chance to prove x^t^Xq" at leftmost leaf

Here $A$ denotes the formula ^(^ |/* ixj)-yj \ < ej <, and $B$ and $C$ denote
the second and third $\beta$-formula of the sequent $(1^5.3.1^2)$, respectively. And $\Pi$ the sequent at the
second ($\beta_2$-) child of the root without the second $\beta$-formula, i.e. without the third $\beta$-formula
of $(1^5.3.1^2)$.



Now we have to expand one of the three first $\beta$-formulas of $(1^5.3.1^2)$. Note that the third one
is the one whose expansion made our proof fail before. We have learned that the path of virtue
is narrow! What about taking the first $\beta$-formula? This would result in the subtree depicted in
Figure 4 above! Its first $\beta$-step can represent progress only if the first ($\beta_1$-) child is easier to prove
than the root itself. But the only reasonable connection of its single new formula is to
the third formula of the rightmost leaf; via $\sigma$. Thus, we would have to copy the proof
starting below the second ($\beta_2$-) child of the root to its first child. But, if we do so, this proof
will fail again, due to the following reason: To close the copied subproof we need the connection
between the fourth formula of the rightmost leaf and the positive subformula
of the formula $A$; via $\sigma$, (2), and (3) as at the end of § 4.4. But this connection
is only available at the original position and not at the position the subproof is copied to, because
the positive subformula is part of the $\beta_2$-side formula $A$ of the $\beta$-step at the root. All in all, this
shows that expanding the first $\beta$-formula of $(1^5.3.1^2)$ leads to a failure of the proof on the current
threshold for $\gamma$-multiplicity again. By symmetry, the same holds for the second. Thus, we take
the third. Notice that the $\beta$-step we have to do now is the one whose too early application made
us backtrack before.

A $\beta$-step to the third $\beta$-formula of $(1^5.3.1^2)$, and expansion of $\forall$ yield:



(15.3.12.1): 0<5^ O^Sf, O^S'g, ... 



(15.3.1^.2): 



\f 



-Vfl < 
< 



■f 



\/x. ( XJ^Xq 



\^f '^0 I ^ 

\9'~ixl)-y';\ < el 

\{nx)+g^{x))-{y^+y' 
\x-x^Q I < 5'' 



< e" 



As a $\delta^-$-step with the first formula of the last line of $(1^5.3.1^2.2)$ as principal formula would block
the later instantiation of $x_f^\gamma$ and $x_g^\gamma$ with the newly introduced free $\delta$-variable, for the proof to
succeed on the current threshold for $\gamma$-multiplicity, we have to take a $\delta^+$-step instead. Note that
this was not yet a problem for the sequent $(1^5.3.1.2.1)$ of § 4.3, in which $x_f^\gamma$ and $x_g^\gamma$ did not occur
yet. Besides the $\delta^+$-step extending $R$ and $C$ as in § 4.3, we do two $\alpha$-steps. This results exactly
in what was seen before at the end of § 4.3, with the exception of a different label:

ir(x})-i/f I < £} 



(15.3.1^.2.1): 



x" 



nf'~^ — J- rf^ 



< Sf 
^'xZ)-y^\ < el 



f -^0 
\xl-x^\ < 5f 



9 "-O 

x'^-x^\ ^ 5-< 



n 



Again, two $\beta$-steps, each twice, yield:



(15.3.12.2.1.1) 
(15.3.12.2.1.2) 
(15.3.12.2.1.3) 
(15.3.12.2.1.4) 
(15.3.12.2.1.5) 



o\<S\ ... 
\r{x})-yf\^e}, \g^{xl) - y^\ ^ el, 



I "/ ^- 



S+ s— 
I < ^/ ' 



I 8+ 

tXj n 



I fl+ ^— 

/y" ryt'-' 



x^^^x^, t <e^ 



\x 



As before in § 4.4, application of $\sigma$ admits the closure of the four branches of $(1^5.3.1^2.2.1.[1\text{-}4])$.
But now, contrary to what made us backtrack before, $(1^5.3.1^2.1)$ becomes

which is subsumed by an instance of lemma (4) of Figure 2.

4.7 A Working Mathematician's Immediate Focus

Note that $(1^5.3.1^2.2.1.5)$ would have been the immediate focus of a working mathematician. He
would have sequenced all the lousy $\beta$-steps after doing the crucial steps of the proof which we can
do only now. Notice that the matrix (indexed formula tree) versions of our calculus will enable us
to support this human behavior in the follow-up lectures. Let us repeat $(1^5.3.1^2.2.1.5)$ with some
omissions and some reordering:

where t <£^ actually reads (with some added wave-front annotation to be used in § 4.8) 



(rM+^^) - (t/f+y-) I < L^^j 



Now the essential idea of the whole proof is to apply the lemma (5) of Figure 2 via 



(1^3.12.2.1.5.1): 



y} 



y*"}, by which we get: 



ti\f^{xn-yf\ + \9^{xn-y 



t < e' 



\f^{xn-yf\ it s}, \9'-{xn-y';\ it e;, 



4.8 Automatic Clean-Up 



The rest of the proof is perfectly within the scope of automatic proof search today. When we
apply the other transitivity lemma (6) of Figure 2 to $(1^5.3.1^2.2.1.5.1)$ as indicated by the single


and double boxes in the goal and the lemma, via { i-^ t, z^ 



s- 
'6 



e^, z^ 



x'l-yl\ }' we get: 



ir(x-)-i/fi + 



(1^3.1^.2.1.5.12): \f^{xn-yf\ + \9^{xn-yl 



< r' 



f^{xn-yf\ < e} 



g^{xn-yn < e 



In [44] even the step from (1^.3.12.2.1.5) to (1^.3. 1^.2.1. 5. 1^) is automated with the wave-front 
annotation of t < as given in § 4.7 (which is generated by the givens of |/*~(a;* )— < 
and \g^{x^'^)-y^\ < in the context of t < in (1^.3.12.2.1.5)), provided that the following 
lemmas (annotated as wave-rules) are in the rippling system: 



(4+4) 



[4-4) + (4-4) 



< z, 



6 ' 



<4 



Applying lemma (7) of Figure 2 (monotonicity of +) in the obvious way, we get: 
(1^3.12.2.1.5.1^): \f 



xn-y'; 



1 + 


Ig^ix^l 




1 + 


\g^{xn 





< e 



d- 



The ^^-substitution {eji— ^''g'^^} closes the remaining open branches of (1^.3.12.2.1.5.1^) 
and $(1^5.[1\text{-}2])$ with the lemmas (3), (8) and (9), respectively. The final variable-condition is
acyclic indeed. Its graph is depicted in Figure 5 below. The whole proof tree with a minor
permutation of the critical $\beta$-step is depicted in Figure 7 in § 6.2.

Figure 5: (Acyclic) Variable-Condition $R$.
With dotted edges: final state in § 4.8.
Without dotted edges: state after application of $\sigma$, both in § 4.4 and in § 4.6.




5 Discussion 



Now that the non-permutability of $\beta$ at $(1^5.3.1)$ and $\delta^{+}$ at $(1^5.3.1.2)$ (cf. Figure 3) as well as the
non-permutability of $\beta$ at $(1^5.3.1^2)$ and $\beta$ at $(1^5.3.1^2.2)$ (cf. Figure 4) have become practically
evident by the proof of (lim +) in § 4, we may ask: Why did the co-lecturer not believe in what
he saw?

He knew that the only problem with the sequencing of $\beta$-steps that occurs either with the
$\delta^{-}$-rules or else with the $\delta^{++}$-rules [9] is that a bad choice makes the proofs suffer from the repetition
of common sub-proofs, which is an optimization problem not subsumed under the notion of
non-permutability, cf. § 2.

Thus, we have to make it even clearer why the $\delta^{+}$-rules are so much in conflict with the
$\beta$-steps.

5.1 Non-Permutability of $\beta$ and $\beta$ is only a Secondary Problem

Notice that the non-permutability of $\beta$ and $\delta^{+}$ is the primary problem and the only one we have
to explain. It causes the non-permutability of $\beta$ and $\beta$ we have seen in Figure 4 as a secondary
problem: Indeed, the 2nd $\beta$-step in Figure 4 must come before the 1st $\beta$-step simply because the
2nd $\beta$-step generates the principal $\delta$-formula of the $\delta^{+}_0(x^{\delta^{+}})$-step resulting in the rightmost leaf,
and this $\delta^{+}_0(x^{\delta^{+}})$-step must come before the 1st $\beta$-step; namely for the leftmost leaf's first
formula $x^{\delta^{+}} \neq x_0^{\delta^{-}}$ to be of any use in the proof. This means that

$$\text{2nd } \beta \;<_{\text{superformula}}\; \delta^{+}_0(x^{\delta^{+}}) \;<_{\beta\text{-}\delta^{+}\text{-non-permutability}}\; \text{1st } \beta$$

causes the non-permutability of 1st $\beta$ and 2nd $\beta$ by transitivity.

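5.2 $\delta^{-}$ instead of $\delta^{+}$

Let us see how the proof of (lim +) would look like with the $\delta^{-}$-rules as the only $\delta$-rules
available. Roughly speaking, in the proof of § 4, we have to replace each free $\delta^{+}$-variable with a
free $\delta^{-}$-variable and check how the variable-condition changes: $\delta^{-}_0(\delta_f^{\delta^{-}})$ and $\delta^{-}_0(\delta_g^{\delta^{-}})$ applied
to $(1^5.3)$ of § 4.2 and $(1^5.3.1.2)$ of § 4.3 (cf. Figure 3) add
$\{\varepsilon_f^{\gamma}, \varepsilon_g^{\gamma}, \delta^{\gamma}\} \times \{\delta_f^{\delta^{-}}\}$ and $\{\varepsilon_f^{\gamma}, \varepsilon_g^{\gamma}, \delta^{\gamma}\} \times \{\delta_g^{\delta^{-}}\}$
to the initially empty variable-condition $R$, respectively. $\delta^{-}_0(x^{\delta^{-}})$ applied roughly at $(1^5.3.1.2.1)$
adds $\{\varepsilon_f^{\gamma}, \varepsilon_g^{\gamma}, \delta^{\gamma}\} \times \{x^{\delta^{-}}\}$ later.

Thus, after applying

the $\sigma^{-}$-updated variable-condition is extended by

$\{(x^{\delta^{-}}, x_f^{\gamma}),\ (x^{\delta^{-}}, x_g^{\gamma}),\ (\delta_f^{\delta^{-}}, \delta^{\gamma}),\ (\delta_g^{\delta^{-}}, \delta^{\gamma})\}$

and looks as in Figure 6 above. Compared to the graph of Figure 5, it is small but cyclic: Among
others, the two curved edges at the very bottom are new and cause the cycles. Thus, $\sigma^{-}$ is no
$R$-substitution at all and cannot be applied.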

Therefore, in our example proof of § 4 as depicted in Figure 3, we have to move the $\gamma$-step
applied to (1^) down below $(1^5.3.1.2.1)$. Note that we cannot move it deeper because it has
to precede the step $\delta^{-}_0(x^{\delta^{-}})$: Indeed, the principal formula of this $\delta^{-}$-step is a subformula of the
side formula of the $\gamma$-step. A fortiori, this movement of the $\gamma$-step applied to (1^) forces the
problematic $\beta$-step at $(1^5.3.1)$ to be moved below $(1^5.3.1.2.1)$, too; simply because its principal
$\beta$-formula is the side formula of the $\gamma$-step.

Indeed, if we replace the $\delta^{+}$-rules with $\delta^{-}$-rules, the non-permutability of the $\beta$- and the
$\delta^{+}$-steps is hidden behind the well-known non-permutability of the $\gamma$- and the $\delta^{-}$-steps, cf. § 2. Only
when the latter non-permutability is removed by replacing the $\delta^{-}$-rules with $\delta^{+}$-rules, the former
becomes visible.

5.3 Free $\delta^{+}$-Variables can Escape their Quantifiers' Scopes

The non-permutability of the $\beta$- and $\delta^{+}$-steps is closely related to the following strange aspect
of the $\delta^{+}$-rules, which they share with the $\delta^{++}$-rules [9], the $\delta^{*}$-rules [7], and the $\delta^{**}$-rules [11],
but not with the $\delta^{\varepsilon}$-rules [16] and the $\delta^{-}$-rules. While soundness of both the $\delta^{-}$- and $\delta^{+}$-rules
and preservation of solutions of the $\delta^{-}$-rules are immediate, the preservation of solutions of the
$\delta^{+}$-rules requires the restriction of the values of the free $\delta^{+}$-variables by choice-conditions [42,
Theorem 2.49]. Although there is no space here for introducing the semantics of the several kinds
of free variables of [42], the reader may grasp the idea of the following example, namely that a
solution for $x^{\gamma}$ that makes the lower sequent true, may make the upper sequent false:

Example 5.1 (Reduction & Liberalized $\delta$, [42, Example 2.29])

In [42, Example 2.8], a $\delta^{+}$-step reduces

$\forall y.\ \neg P(y),\quad P(x^{\gamma}),\quad \ldots$

to

$\neg P(y^{\delta^{+}}),\quad P(x^{\gamma}),\quad \ldots$

with the empty variable-condition $R := \emptyset$.

Let us first argue semantically: The lower sequent is $(e, \mathcal{S})$-valid for the $(\mathcal{S}, R)$-valuation $e$ given
by

$e(x^{\gamma})(\delta) := \delta(y^{\delta^{+}})$,

which sets the value of $x^{\gamma}$ to the value of $y^{\delta^{+}}$. The upper sequent, however, is not $(e, \mathcal{S})$-valid
when $P^{\mathcal{S}}(a)$ is TRUE and $P^{\mathcal{S}}(b)$ is FALSE for some $a$, $b$ from the universe of the structure $\mathcal{S}$.
To see this, take some valuation $\delta$ with $\delta(y^{\delta^{+}}) := b$. Then $x^{\gamma}$ and $y^{\delta^{+}}$ both evaluate to $b$, the lower
sequent to TRUE, FALSE, and the upper sequent to FALSE, FALSE.

No matter whether this semantical argumentation can become clear here, the following
syntactical variant will do similarly well: After applying the $R$-substitution

$\mu^{+} := \{x^{\gamma} \mapsto y^{\delta^{+}}\}$,

the lower sequent is a tautology, whereas the upper sequent is not.

This cannot happen with the $\delta^{-}$-rules: Their application instead of the $\delta^{+}$-rules adds $\{(x^{\gamma}, y^{\delta^{-}})\}$
to the variable-condition, thereby blocking

$\mu^{-} := \{x^{\gamma} \mapsto y^{\delta^{-}}\}$,

simply because $\mu^{-}$ is no $\{(x^{\gamma}, y^{\delta^{-}})\}$-substitution, cf. Definition 3.1.

From a semantical point of view, however, the $e$ displayed above is no $(\mathcal{S}, R)$-valuation for
the extended variable-condition anymore.
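
The two checks of Example 5.1, as an added example that is not part of the paper: the variable-condition test that blocks the substitution under the non-liberalized rule, and the truth values of both sequents in a structure where P(a) is TRUE and P(b) is FALSE. It assumes that the update of a variable-condition by a substitution adds an edge (z, x) for every free variable z occurring in the value substituted for x (Definition 3.1 is not reproduced in this section; the edge direction follows the pairs listed in § 5.2) and that acyclicity of the result is what makes a substitution admissible; all identifiers are hypothetical.

```python
# Added example (not from the paper). Assumed reading of Definition 3.1: the
# sigma-update of a variable-condition R adds an edge (z, x) for every free
# variable z occurring in sigma(x); sigma is an R-substitution iff the
# updated graph is acyclic. All identifiers are hypothetical.


def free_vars(term):
    """A string is a free variable; a tuple (functor, arg, ...) is an application."""
    if isinstance(term, str):
        return {term}
    return set().union(*map(free_vars, term[1:]))


def sigma_update(R, sigma):
    """Variable-condition R extended by the edges that sigma induces."""
    return set(R) | {(z, x) for x, t in sigma.items() for z in free_vars(t)}


def find_cycle(edges):
    """Depth-first search; returns the nodes of one cycle, or None if acyclic."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
        succ.setdefault(b, [])
    state = dict.fromkeys(succ, "new")

    def visit(node, path):
        state[node] = "open"
        path.append(node)
        for nxt in sorted(succ[node]):
            if state[nxt] == "open":          # back edge: cycle found
                return path[path.index(nxt):] + [nxt]
            if state[nxt] == "new":
                cycle = visit(nxt, path)
                if cycle:
                    return cycle
        path.pop()
        state[node] = "done"
        return None

    for node in sorted(succ):
        if state[node] == "new":
            cycle = visit(node, [])
            if cycle:
                return cycle
    return None


def is_r_substitution(R, sigma):
    return find_cycle(sigma_update(R, sigma)) is None


# Structure of Example 5.1: P(a) is TRUE and P(b) is FALSE.
UNIVERSE = ("a", "b")
P = {"a": True, "b": False}


def lower_sequent(x, y):
    """Truth values of the formulas of: not P(y^delta+), P(x^gamma)."""
    return [not P[y], P[x]]


def upper_sequent(x):
    """Truth values of the formulas of: forall y. not P(y), P(x^gamma)."""
    return [all(not P[u] for u in UNIVERSE), P[x]]


def example_5_1():
    mu = {"x_gamma": "y_delta"}          # mu = {x^gamma |-> y^delta}
    r_plus = set()                        # liberalized step: R stays empty
    r_minus = {("x_gamma", "y_delta")}    # non-liberalized step adds (x^gamma, y^delta-)
    y = "b"                               # valuation of y^delta+
    x = y                                 # e sets x^gamma to the value of y^delta+
    return {
        "mu_plus_allowed": is_r_substitution(r_plus, mu),
        "mu_minus_allowed": is_r_substitution(r_minus, mu),
        "blocking_cycle": find_cycle(sigma_update(r_minus, mu)),
        "lower": lower_sequent(x, y),
        "upper": upper_sequent(x),
        # after mu, the lower sequent holds for every value in this structure
        "lower_valid_after_mu": all(any(lower_sequent(u, u)) for u in UNIVERSE),
    }


if __name__ == "__main__":
    for key, value in example_5_1().items():
        print(f"{key}: {value}")
```

A sequent counts as true when at least one of its listed formulas is true, so the lower sequent holds while the upper one fails under the same valuation.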

Roughly speaking, via $\mu^{+}$, the $\delta^{+}$-variable $y^{\delta^{+}}$ escapes the scope of the quantifier $\forall y$ on the bound
variable $y$ which was eliminated by the introduction of $y^{\delta^{+}}$. At least with matrix calculi and
indexed formula trees [2, 37], this "escaping" is a natural way to talk about this strange liberality
of the $\delta^{+}$-rule. And it also happens in Figure 3 of the proof of (lim +): Taking the tree of Figure 3
to be an indexed formula tree, roughly speaking, the quantifier for $\delta_g^{\delta^{+}}$ is situated at the term
position $(1^5.3.1.2)$, but, via $\sigma$, it escapes to term position $(1^5.3.1.1)$.

5.4 $\delta^{++}$ instead of $\delta^{+}$

Let us see how the proof of (lim +) would look like with the $\delta^{++}$-rules [9] as the only $\delta$-rules
available. This does not change anything in the proof as given in § 4, but allows us to use the
identical free $\delta^{+}$-variable $\delta_g^{\delta^{+}}$ again when repeating the $\delta$-step which introduced it. Thus, starting
from $(1^5.3.1.1)$ of § 4.3, we can repeat some of the steps done in proof of $(1^5.3.1.2)$, namely
" 5+{5'J), al " of Figures, but now as " 5+^(5'^), ". Note that the 5+-ruIes would allow 

^oi^a) only, with new 5q. The resulting sequent is 
(1^3.1.1.1): 0<uim{Sf,5'g), Q 

It is like $(1^5.3.1.2.1)$ of § 4.3, but with the $\beta_2$-side formula of the critical $\beta$-step replaced with the
$\beta_1$-side formula $0 < \min(\delta_f^{\delta^{+}}, \delta_g^{\delta^{+}})$. This formula admits to close this branch with the formulas
$0 \not< \delta_f^{\delta^{+}}$ and $0 \not< \delta_g^{\delta^{+}}$ (as listed in Q of Figure 2), applying lemma (4) of Figure 2 as at the end of
§ 4.6.

Notice that this proof with the $\delta^{++}$-rules does not have a higher number of $\gamma$-steps than the
proof attempt failing in § 4.5. Also the maximum number of $\delta$-steps per formula and per path is
still 1. Nevertheless, the multiple expansion of the same $\delta$-formula in different paths is somehow
counter-intuitive and nothing a working mathematician would expect. In indexed formula trees
based on the $\delta^{++}$-rules, all $\delta$-formulas are treated only once. This again means that these matrix
versions are more human-oriented than the tableau or sequent versions.

6 Proof of the Non-Permutability of $\beta$ and $\delta^{+}$

As we have seen in § 5.2, the non-permutable $\beta$-step necessarily follows a $\gamma$-step that would be
non-permutable without the liberalization from $\delta^{-}$ to $\delta^{+}$. It follows indeed necessarily, because
the principal formula of the $\beta$-step is the side formula of the $\gamma$-step. Although

• the $\gamma$-step $\gamma_0(\min(\delta_f^{\delta^{+}}, \delta_g^{\delta^{+}}))$ is permutable with the liberalized $\delta^{+}$-step $\delta^{+}_0(\delta_g^{\delta^{+}})$,

• the $\gamma$-step $\gamma_0(\min(\delta_f^{\delta^{-}}, \delta_g^{\delta^{-}}))$, however, is non-permutable with the $\delta^{-}$-step $\delta^{-}_0(\delta_g^{\delta^{-}})$,

and even with the liberalization

• the $\beta$-step is still non-permutable with the $\delta^{+}$-step $\delta^{+}_0(\delta_g^{\delta^{+}})$.

As the principal formula of the $\beta$-step can be regenerated by a second expansion of the principal
formula of the $\gamma$-step, we cannot prove the non-permutability unless we restrict the $\gamma$-multiplicity.
But, according to the description of the notion of non-permutability in § 2, we may indeed restrict
the $\gamma$-multiplicity, in which case the crucial step, namely Lemma 4.1, admits the following
semantical proof.



6.1 Proof of Lemma 4.1 at the end of § 4.5 

Let us remove the three $\gamma$-formulas which form the sequent $\Gamma$ (cf. Figure 2) from the sequents
$(1^5.1)$, $(1^5.2)$ (cf. § 4.2), and $(1^5.3.1.1)$ (cf. § 4.3). As these $\gamma$-formulas were already once
expanded at (1^) and (1"^) (cf. Figure 3), this removal represents a restriction of the $\gamma$-multiplicity
of the removed $\gamma$-formulas to 1, and results in the following sequents (after some reordering):



(lM\r+): 0<e}, O^e'-, 



0< mm((5f , (5f ) A VxT^a;^. Vi • ^ 

\r{xf)-yf\ < e) ■ 



n35/>0. MXf^X^. 



\xf~x^\ < 5f 



0<mm(^f,(5f) A Vxy^a^r. ^'^ Vi • /r«+ rf+N 

;i5.3.1.1\r+): 0<min((5f,5f), 0^£^ 

ir(x;)-i/f I < £} 



0<5f A Vx/^<. 

n3^,. ( 0<5, A MXg^X^. 



\xf—XQ I < (5j 



The related variable-condition $R$ is shown in Figure 5 (without the dotted edges) and the current
$R$-choice-condition $C$ is given as
X"



i(rM+^^"M)-(2//+?/r)i<^' 

-| <min(<5f,5^^) 
|r(x;)-?/f K e) 



0«5f A Vxg^xf , 



5+ 



It now suffices to show that there is no proof of $(1^5.1\backslash\Gamma^{+})$, $(1^5.2\backslash\Gamma^{+})$, and $(1^5.3.1.1\backslash\Gamma^{+})$ with
the $\delta^{-}$- and $\delta^{+}$-rules as the only $\delta$-rules available.

We do this with a trivial transformation given by the substitution 

V := {5f^(5f , 5f } 

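of an assumed proof of $(1^5.1\backslash\Gamma^{+})$, $(1^5.2\backslash\Gamma^{+})$, and $(1^5.3.1.1\backslash\Gamma^{+})$ on the one hand, and with a
deviation over invalidity and soundness on the other hand, as follows:

Instantiating the sequents $(1^5.1\backslash\Gamma^{+})$, $(1^5.2\backslash\Gamma^{+})$, and $(1^5.3.1.1\backslash\Gamma^{+})$ by $\nu$ we get the sequents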
(lM\r-): 0<£}, 0^£^, 

0<min(5f,5^) A Vx7^<. 



\9'~{^9)-y'g \ < 



|(r(x)+^?-(x))-(|/f+yp| <£* 



0<min(5f,(5p A V^T^xf, 



\nxf)-y^\ < e] 
\xf—XQ I < 6f 

|(r(x)+^-(x))-(yf+yp| 



(1^3.1. l\r-): 



35g. Q<5g A VXgT^X^. 



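The conjunction of these sequents is invalid according to the standard semantics for parameters
as well as the semantics of [42]. This can be seen by

$\{\delta_f^{\delta^{-}} \mapsto 1,\ \delta_g^{\delta^{-}} \mapsto 0,\ \varepsilon^{\delta^{-}} \mapsto 1,\ x_0^{\delta^{-}} \mapsto 0,\ y_f^{\delta^{-}} \mapsto 0,\ y_g^{\delta^{-}} \mapsto 0,\ f^{\delta^{-}} \mapsto \lambda x.0,\ g^{\delta^{-}} \mapsto \lambda x.0\}$.

Indeed, if we instantiate $(1^5.1\backslash\Gamma^{-})$, $(1^5.2\backslash\Gamma^{-})$, and $(1^5.3.1.1\backslash\Gamma^{-})$ with this substitution and
then $\lambda\beta$-normalize and simplify these sequents by equivalence transformations in the model of
the real numbers $\mathbb{R}$, we get the three sequents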



0<£}, false, ^ 0<£: 



V5g>0. SXgT^O. \Xg\<5g 



, false
^( ^ W.to. 3x,^0. Ix.K^, ^^'^^

false, false, ^(0<e} ^ 3x,^0. |x,|<l), ^( ^ ^^^^^^ |^^|^^^ 

Further equivalence transformation in $\mathbb{R}$ results in the three contradictory sequents

0<e}
Oite}, O^e



Thus, as our calculus is sound, it cannot prove $(1^5.1\backslash\Gamma^{-})$, $(1^5.2\backslash\Gamma^{-})$, and $(1^5.3.1.1\backslash\Gamma^{-})$ in
parallel.

As the $\delta^{+}$-rules treat free $\delta^{-}$- and free $\delta^{+}$-variables alike, and as the $\delta^{-}$-rules generate a smaller
variable-condition for free $\delta^{-}$- instead of free $\delta^{+}$-variables in the principal sequents (cf. $V_{\gamma\delta^{+}}(\cdots)$
in Figure 1), a proof of $(1^5.1\backslash\Gamma^{+})$, $(1^5.2\backslash\Gamma^{+})$, and $(1^5.3.1.1\backslash\Gamma^{+})$ would immediately translate
into a proof of $(1^5.1\backslash\Gamma^{-})$, $(1^5.2\backslash\Gamma^{-})$, and $(1^5.3.1.1\backslash\Gamma^{-})$ with unchanged inference rules, just
by application of the substitution $\nu$.

Thus, we conclude that there is no proof of $(1^5.1\backslash\Gamma^{+})$, $(1^5.2\backslash\Gamma^{+})$, and $(1^5.3.1.1\backslash\Gamma^{+})$. q.e.d.

Note that the above trivial proof transformation does not result in a sound proof if we replace the
$\delta^{+}$-rules with the $\delta^{++}$-rules: Indeed, the $\delta^{++}$-rules may re-use $\delta_g^{\delta^{+}}$, but not $\delta_g^{\delta^{-}}$.

6.2 Defining Permutability

A reader with a good mathematical intuition can and should directly consider the
non-permutability of $\beta$- and $\delta^{+}$-steps as a corollary of Lemma 4.1 proved above. A formalist, however, may
well require some rigorous definition of permutability. There were good reasons not to present a
formal definition of permutability earlier in this paper:

1. The logically weakest reasonable definitions of permutability I can think of, still result in
the non-permutability we want to show. Indeed, we may choose any definition of
permutability that contradicts Lemma 4.1. For instance, as it strengthens our
non-permutability result, we should (and will) use a notion that is weaker than the following standard
one: Two inference steps $S_1$ and $S_0$ are locally directly permutable if replacing an
occurrence of — — in a closed proof tree (where $S_1$ is also applicable instead of $S_0$) with
^3 — ^ — 53- results — mutatis mutandis — in a closed proof tree.

's^ ^

2. From the viewpoint of philosophy of mathematics it is bad practice to become too
concrete with intuitively clear notions. For example, we should not say precisely which set
theory we use on the meta-level as long as Zermelo-Fraenkel, Neumann-Bernays-Gödel,
Quine's NF, Quine's ML, Tarski-Grothendieck and non-wellfounded set theories [1, 8]
&c. all satisfy our needs. Although the case of permutability is not as self-evident as the
case of set theory, the low rigor of our notion of permutability was sufficient until now.
Indeed, there is no definition of permutability or non-permutability in Wallen's whole book
[37], although the avoidance of non-permutability is one of its main subjects, cf. § 2.

3. My formalization of the notion of permutability depends on the notions of a principal meta- 
variable of an inference rule and is somewhat technical and difficult, even in the rudimental 
form we will present below. 

To avoid clutter, we define permutability only for sequent calculi. The definition for tableau
calculi is analogous. Formally, for each inference rule, we have to define which meta-variables are
principal and which are not. On the one hand, the meta-variables of the principal formulas have
to be principal, and an instantiation of all principal meta-variables must determine the existence
of an instantiation of the other meta-variables such that the inference rule becomes applicable.
On the other hand, it is not appropriate to define all meta-variables of an inference rule to be
principal, because this results in a general non-permutability of inference steps.

Definition 6.1 (Principal Meta-Variables)

In our inference rules of Figure 1 in § 3.1 exactly the meta-variables A, B, x, t, x^~, and x*^ are 
principal; and the other meta-variables, i.e. U, are not principal. In lemma application steps as 
explained in § 3.2, the and Cj are principal, whereas the Bj are not. For technical simplicity, 
we ignore our definitional expansion steps on V, 3, lim, assuming a complete expansion at the 
calculus level.

Definition 6.2 (Inference Step)

A proof tree is a labeled tree whose root is labeled with a sequent and whose paths are labeled
with sequents and inference steps alternately, such that there is a proof history of applicable
inference steps (expansion steps) and global applications of $R$-substitutions on free $\gamma$-variables
(which instantiate the free $\gamma$-variables of their domains in all occurrences in all labels of the proof
tree, i.e. in all sequents and in all inference steps), starting from a proof tree consisting only of a
root node. (Of course, the parent and child nodes of a node labeled with an inference step must
be labeled with the conclusion and the premises of this inference step, respectively.)

A proof tree is closed if all its leaves that are not labeled with inference steps are labeled with
axioms.

An inference step is a triple $(I, \pi, \varrho)$ labeling a node in a proof tree where $I$ is an inference rule
and $\pi$ and $\varrho$ are substitutions of the principal and non-principal meta-variables of $I$, respectively;
so that $I(\pi \uplus \varrho)$ describes the inference step with parent (conclusion) and child (premise) nodes
as an instance of the inference rule $I$.

Note that in Definition 6.2 we indeed have to refer to the proof history because the $\delta^{+}$-step
$\delta^{+}_0(\delta_g^{\delta^{+}})$ applied to $(1^5.3.1)$ at the beginning of § 4.6 would not be admitted if we applied the
$R$-substitution $\sigma$ before expanding the proof tree by the $\delta^{+}$-step. This is because $\delta^{+}$-steps have to
introduce new free $\delta$-variables, and $\sigma$ would already introduce $\delta_g^{\delta^{+}}$ before.

Roughly speaking, permutability of two steps $S_1$ and $S_0$ simply means the following: In a closed
proof tree where $S_0$ precedes $S_1$ and where $S_1$ was already applicable before $S_0$, we can do the
step $S_1$ before $S_0$ and find a closed proof tree nevertheless.

Definition 6.3 (Permutability)

Let $(I_1, \pi_1, \varrho_1)$ and $(I_0, \pi_0, \varrho_0)$ be two inference steps.

$(I_1, \pi_1, \varrho_1)$ and $(I_0, \pi_0, \varrho_0)$ are permutable for a given threshold $m$ for $\gamma$-multiplicity if
for any closed proof tree $T$ with $\gamma$-multiplicity $m$ satisfying that

1. $n_i$ is an inference node in $T$ labeled with $(I_i, \pi_i, \varrho_i)$, for $i \in \{0, 1\}$,

2. $n_0$, $n_1$ are, in this order and with only a sequent node in between, on the same path in $T$
from the root to a leaf, and

3. there is a substitution $\varrho$ such that the parent sequents (conclusions) of $I_0(\pi_0 \uplus \varrho_0)$ and
of $I_1(\pi_1 \uplus \varrho)$ are identical;

there is a closed proof tree with $\gamma$-multiplicity $m$ which differs from $T$ only in the subtree starting
with $n_0$ and the root label of this subtree is $(I_1, \pi_1, \varrho)$.

$(I_1, \pi_1, \varrho_1)$ and $(I_0, \pi_0, \varrho_0)$ are permutable if they are permutable for any given threshold $m \in \mathbb{N}$
of $\gamma$-multiplicity.

$I_1$ and $I_0$ are generally permutable if all inference steps of the forms $(I_1, \pi_1, \varrho_1)$ and $(I_0, \pi_0, \varrho_0)$
are permutable.

Figure 7: Closed proof tree with non-permutable $\beta$- and $\delta^{+}$-step



Example 6.4 

For inferring the non-permutability of $\beta$ and $\delta^{+}$ from Lemma 4.1, we have to instantiate
Definition 6.3 as follows:

no ^ (1^3.1) — ^(1^3. 1^) (cf. §4.6) 
Iq is -i3) of Figure 1 in § 3.1 



^"0 = < 



X 

x'' 
A 

r 
n 



9 > 



Q<5g A 3Xg^XQ . 

( 0<min((5f,(5; 

A yXy^XQ. 

V 



\9^ix9)-yg\ < "-2 



\ 



< e" 



(f-{x)+g'-{x)) 
x-x^\ < mm{Sf, S^J) ) j 



n\ ~ "a new step of an alternative closed proof tree that results from the closed proof 
tree of §4.6 by permuting the /3-step at (1^.3.1^) and the steps cu^, 70(2;''^)^ applied 
to (1^.3.1). This alternative proof tree is depicted in Figure 7 above. (For pedagogical 
reasons only, we delayed the potentially sinful /3-step until we were forced to do it.)" 

I\ is (/?, A) of Figure 1 in § 3. 1 

■A ^ 0<min(5f,5^"); 

{r{x)+g^{x)) 

B ^ Vx^<. I -{yf+y';) 

^ x-xf^ I < m.m{5f, S^J) 



TTi = 



Now, the non-permutability of the critical $\beta$- and $\delta^{+}$-steps of Example 6.4 follows from
Lemma 4.1, because there is no alternative proof tree which differs only in the subtree starting at $n_0$
and having a new subtree there starting with the critical $\beta$-step. The deeper reason for this is that
the instantiated free $\gamma$-variables occur outside the subtree of the $\delta^{+}$-step, cf. § 5.3. According
to Lemma 4.1, there is no proof of $(1^5.1)$, $(1^5.2)$ and $(1^5.3.1.1)$ with the instantiation by $\sigma$ given
by the failed proof attempt. Since the partial instantiation by $\sigma$ agrees with the full instantiation
in the closed proof tree of the successful proof of Figure 7, we have the required witness for the
non-permutability of $\beta$ and $\delta^{+}$ indeed. Thus, as corollaries we get:

Corollary 6.5 On a threshold for $\gamma$-multiplicity of 1, the inference steps

$((\beta, \wedge), \pi_1, \varrho_1)$ and $((\delta^{+}, \neg\exists), \pi_0, \varrho_0)$

(as labels of the nodes $n_1$ and $n_0$, resp.) as given in Example 6.4 are not permutable.

Theorem 6.6 $\beta$- and $\delta^{+}$-steps are not generally permutable,

• neither in the sequent calculus of [42] (cf. our Figure 1 in § 3.1),

• nor in standard free-variable tableau calculi with $\delta^{+}$-rules as the only $\delta$-rules, such as the
ones in [14, 18].

7 Conclusion

Even with more liberalized $\delta$-rules available today (such as $\delta^{++}$-, $\delta^{*}$-, $\delta^{**}$-, and $\delta^{\varepsilon}$-rules, cf. § 5.3),
the $\delta^{+}$-rules stay important, both conceptually and for stepwise presentation and limitation of
complexity in teaching, research, and publication. For instance, the $\delta^{+}$-rules are the free-variable
tableau rules used in the current edition of Fitting's excellent textbook [14]. Moreover, until very
recently [12] nobody realized that the $\delta^{*}$- and $\delta^{**}$-rules were unsound in their original publications
(incl. their corrigenda!).

When the $\delta^{+}$-rules occurred first in [18], they seemed so simple and straightforward. Today,
a dozen years later, they are still not completely understood. We have shown that the $\delta^{+}$-rules
have unrealized properties yet, such as the non-permutability of $\beta$- and $\delta^{+}$-steps. Indeed, there
are several open problems, such as, from theoretical to practical:

7.1 Complexity? 

Does the non-elementary reduction in proof size [7] from the 5~- to the ^''"^ -rules mean a non- 
elementary reduction in proof size from 5~ to or from 5'^ to (exponential at least [9]), or 
both? 

7.2 More Non-Permutabilities?

Why was the non-permutability of $\beta$ and $\delta^{+}$ not noticed before? May there be others around?

7.3 Optimization?

Although the non-permutability of $\beta$- and $\delta^{+}$-steps is not visible with non-liberalized $\delta$-rules and
not serious in theory with further liberalized $\delta$-rules, it is always present and of major importance
in practice; both for efficiency of proof search and for human-oriented proof presentation. The
same holds for the optimization problem of finding a good order of application for the $\beta$-steps.

7.4 Are the known notions of Completeness relevant in practice? 

The mere existence of a proof is not sufficient for mathematics assistance systems, where we 
need the existence of a proof that closely mirrors the proof the mathematician interacting with the 
system has in mind, searches for, or plans. 

Freshmen who think that the $\delta^{-}$-rules would admit human-oriented proof construction should
try to do the proof of (lim +) with the $\delta^{-}$-rules as the only $\delta$-rules. There will be more reasons
and occasions to use the presentation of this complete and interesting example proof for further
reference!

I must admit, however, that I do not know how to grasp a practically relevant notion of com- 
pleteness. The sequent calculus of our inductive theorem prover QuodLibet [6] has been 
improved over a dozen years of practical application to admit our proofs; and still needs and gets 
further improvement.

The automatic generation of a non-trivial proof for a given input conjecture is typically not
possible today and probably will never be. Thus, besides some rare exceptions — as the
automation of proof search will always fail on the lowest logic level from time to time — the only
chance for automatic theorem proving to become useful for mathematicians is a synergetic
interplay between the mathematician and the machine. For this interplay — to give the human user
a chance to interact — the calculus itself must be human-oriented. Indeed, it does not suffice to
compute human-oriented representations; not in the end, and — as the syntactical problems have
to be presented accurately — also not intermediately in a user interface.

Thus, also the possibility to overcome the non-permutability of $\beta$ and $\delta^{+}$ by replacing the
$\delta^{+}$-rules with $\delta^{++}$-rules as described in § 5.4 is not adequate for human-oriented reasoning, for
which we need matrix calculi and indexed formula trees [2, 37] to admit a lazy sequencing of
$\beta$-steps, so that the connection-driven path construction may tell us in the end, which sequencing
of the $\beta$-steps we need.

7.5 Is Soundness sufficient in practice? 

The notion of safeness (soundness of the reverse inference step, for failure detection after gener- 
alization, e.g. for induction) seems to become standard [3, 23, 38, 42]. And in [39, 42] we have 
also added the notion of preservation of solutions. This means that the closing substitutions on 
the rigid variables of the sub-goals must solve the input theorem's rigid variables, which make 
sense as placeholders for concrete bounds and side conditions of the theorem which only a proof 
can tell. 

7.6 Conclusion 

Although more useful for proof search in classical logic than Hilbert [19] and Natural Deduction 
calculi [15], sequent [15] and tableau calculi [14] are still not adequate for a synergetic interplay 
of human proof guidance and automatic proof search [42], which we hope to achieve with matrix 
calculi such as CoRe [2]. 

As the automation of proof search will always fail on the lowest logic level from time to time, 
be aware: The fine structure and human-orientedness of a calculus does matter in practice!

Notes

Note 1 A scornful anonymous referee of a previous version of this paper (who was the only one
to reject it for the 14th Int. Conf. on Tableaus and Related Methods, Koblenz, 2005) wrote:

"For once a positive comment: The first lines of page 12 finally contain a very inter- 
esting insight, namely that different non-permutabilities can hide each other." 



Note 2 Indeed, in [27] we read:

"ML's execution profiler reported that the sharing mechanism, meant to boost effi-
ciency, was consuming most of the run time. The replacement of structure sharing 
by copying made Isabelle simpler and faster. Complex algorithms are often the 
problem, not the solution."

Note 3 I did not succeed in finding a really satisfying definition of non-local permutability that
fits the non-local situation of the failure of the (lim +) proof as presented in the lecture courses [4, 43].

The problem was to permute the critical $\beta$-step from below the critical $\delta^{+}$-steps to a place far up
above the $\delta^{+}$-steps. And on this partial path from $\beta$ down to $\delta^{+}$ there were other inference
steps which may or may not contribute to the non-permutability. Thus, instead of globalizing
the notion of permutability I localized the example proof; although the original version had
pedagogical advantages.

Furthermore, note that it may be possible to demonstrate the permutability problems of the
$\beta$-rule with slightly smaller artificial examples. But we prefer a practical example to demonstrate
the practical difficulties and discuss some less formal soft aspects which may be more important 
than the hard non-permutability results of this paper. Moreover, because of its many interesting 
aspects, this proof will be useful as a standard example for further reference. If you are not in 
love with formal proofs, I do apologize for the inconvenience of my decision and ask you to send 
me an E-mail of complaint if you will not have learned something that is worth your efforts in 
the end. If I receive at least three E-mails seriously stating that these efforts were in vain but the 
non-permutability deserves proper publication, I will try to produce a version of this paper with a 
somewhat smaller artificial example. 



Note 4 An anonymous referee of a previous version of this paper wrote:

"The arguments against the use of $\delta^{++}$ (that the proofs found this way are not
human-oriented) are not convincing. It is well-known that improved Skolemization rules can
be simulated with applications of the cut rule. So one could proceed as follows.
Use $\delta^{++}$ for proof generation, for presentation insert the respective cut steps. This
way any forms of sophisticated Skolemization could be replaced by case distinctions, 
which are easily understandable by any human user." 

The point that is missed in this critique is the following. The automatic generation of non- 
trivial proofs is typically not possible today and probably will never be. Thus, besides some rare 
exceptions — as the automation of proof search will always fail on the lowest logic level from time 
to time — the only chance for automatic theorem proving to become useful for mathematicians is 
a synergetic interplay between the mathematician and the machine. For this interplay — to give 
the human user a chance to interact — the calculus itself must be human-oriented. Thus, it does 
not suffice to compute human-oriented representations; not in the end, and — as the syntactical 
problems have to be presented accurately — also not intermediately in a user interface.